CentOS - Jul 2021 - It's been six days since CVD-2021-33909 was patched in RHEL, what's the holdup for Stream 8?

This bug in the kernel was patched in RHEL on 7/20. Every other mainstream Linux
distro patched it that day or the day after. That includes Rocky and Alma.

https://access.redhat.com/security/cve/CVE-2021-33909

It's still not patched six days later in CentOS Stream 8.

This Bugzilla entry makes it clear that when it comes to security, CentOS Stream
falls behind RHEL. But this far behind?

https://bugzilla.redhat.com/show_bug.cgi?id=1975182

This doesn't make a good argument for Stream being a viable CentOS Linux
replacement.

It's being worked on.  RHEL maintainers can fix things independently
in different minor version branches.  The fix was applied to the
internal 8.4 branch while it was under embargo.  It has since been
released in RHEL 8.4, which allowed it to be rebuilt in CentOS Linux
8.  CentOS Stream 8 is currently tracking the internal 8.5 branch,
which just had the fix merged yesterday, along with many other
changes, as kernel-4.18.0-326.el8.  That build is going through QA
now.  Once completed, it will be exported to git.centos.org and
rebuilt in CentOS Stream 8.  This is the "inside out" process
we've
referred to, and we know it's not ideal.  CentOS Stream 9 improves on
this significantly with RHEL maintainers doing their builds directly
in the CentOS project, in the public.

I'll also note this isn't something new.  We've been clear that RHEL
gets some security fixes first.  Typically it's only 1-2 days after
RHEL 8 that we'll have the corresponding fix out for CentOS Linux 8
and CentOS Stream 8.  No one is happy about how much longer this
particular update is taking.  The Stream model brings massive changes
to the RHEL workflows, so no one should be surprised that there are
growing pains.

On Mon, Jul 26, 2021 at 4:02 PM Steven Rosenberg via CentOS
<centos at centos.org> wrote:
>
> This bug in the kernel was patched in RHEL on 7/20. Every other mainstream
Linux distro patched it that day or the day after. That includes Rocky and Alma.
>
> https://access.redhat.com/security/cve/CVE-2021-33909
>
> It's still not patched six days later in CentOS Stream 8.
>
> This Bugzilla entry makes it clear that when it comes to security, CentOS
Stream falls behind RHEL. But this far behind?
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1975182
>
> This doesn't make a good argument for Stream being a viable CentOS
Linux replacement.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>

-- 
Carl George

Carl summarized really well how code moves through RHEL and CentOS
Stream, and we?re working on making sure we publish a build that has
made it through the usual set of RHEL tests. -326 is a possible
candidate here.
Think about CentOS Stream as the development location for the next-minor
release of RHEL.??I?d like to highlight some of the general points
related to this discussion:
-?There are certain classes of CVE that we handle differently from
normal development work:
https://centos.org/distro-faq/#q4-how-will-cves-be-handled-in-centos-stream
<https://centos.org/distro-faq/#q4-how-will-cves-be-handled-in-centos-stream>
- Since these fixes need to go into RHEL first, getting them into the
development location (CentOS Stream) represents a separate set of work.?
- Our intent is to get CVE fixes like this into Stream as soon as
they?re available within the guidelines referenced in the FAQ
In the past updates have gone out quickly, we haven?t artificially held
up pushes and we will not do so going forward. We don?t, though, make
any forecasts or guarantees about turnaround time, this is to make sure
we deliver those fixes correctly.?
I hope that as we continue rolling out new workflows in CentOS Stream 9,
we will be able to provide more direct feedback on patch status at a
source code level. Just as a reminder you can view and participate in
development happening on Gitlab:
https://gitlab.com/redhat/centos-stream/
<https://gitlab.com/redhat/centos-stream/>
--Brian